From dfa944da247f71f4ccf8a18eee30459e6c25caa5 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 20 Jul 2011 18:11:05 -0400 Subject: daemons: Remove ipa_kpasswd Now that we have our own database we can properly enforce stricter constraints on how the db can be changed. Stop shipping our own kpasswd daemon and instead use the regular kadmin daemon. --- selinux/Makefile | 5 +-- selinux/ipa-server-selinux.spec.in | 5 +-- selinux/ipa_kpasswd/ipa_kpasswd.fc | 9 ----- selinux/ipa_kpasswd/ipa_kpasswd.te | 80 -------------------------------------- 4 files changed, 4 insertions(+), 95 deletions(-) delete mode 100644 selinux/ipa_kpasswd/ipa_kpasswd.fc delete mode 100644 selinux/ipa_kpasswd/ipa_kpasswd.te (limited to 'selinux') diff --git a/selinux/Makefile b/selinux/Makefile index 62b7bf7e..9e87bdd8 100644 --- a/selinux/Makefile +++ b/selinux/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = ipa_kpasswd ipa_httpd ipa_dogtag +SUBDIRS = ipa_httpd ipa_dogtag POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted @@ -21,9 +21,8 @@ maintainer-clean: distclean install: all install -d $(POLICY_DIR) - install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR) install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR) install -m 644 ipa_dogtag/ipa_dogtag.pp $(POLICY_DIR) load: - /usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp + /usr/sbin/semodule -i ipa_httpd/ipa_httpd.pp diff --git a/selinux/ipa-server-selinux.spec.in b/selinux/ipa-server-selinux.spec.in index 3387553a..b3c7d89c 100644 --- a/selinux/ipa-server-selinux.spec.in +++ b/selinux/ipa-server-selinux.spec.in @@ -36,7 +36,6 @@ make DESTDIR=%{buildroot} install %files %{_usr}/share/selinux/targeted/ipa_webgui.pp -%{_usr}/share/selinux/targeted/ipa_kpasswd.pp %define saveFileContext() \ @@ -61,7 +60,7 @@ fi; %saveFileContext targeted %post -semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp +semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp %relabel targeted %preun @@ -71,7 +70,7 @@ fi %postun if [ $1 = 0 ]; then -semodule -s targeted -r ipa_webgui ipa_kpasswd +semodule -s targeted -r ipa_webgui %relabel targeted fi diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.fc b/selinux/ipa_kpasswd/ipa_kpasswd.fc deleted file mode 100644 index 2dcf827d..00000000 --- a/selinux/ipa_kpasswd/ipa_kpasswd.fc +++ /dev/null @@ -1,9 +0,0 @@ -# -# /usr -# -/usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0) - -# -# /var -# -/var/cache/ipa/kpasswd(/.*)? gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0) diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.te b/selinux/ipa_kpasswd/ipa_kpasswd.te deleted file mode 100644 index 292be7b8..00000000 --- a/selinux/ipa_kpasswd/ipa_kpasswd.te +++ /dev/null @@ -1,80 +0,0 @@ -policy_module(ipa_kpasswd, 1.0) - -######################################## -# -# Declarations -# - -type ipa_kpasswd_t; -type ipa_kpasswd_exec_t; -type ipa_kpasswd_var_run_t; -type ipa_kpasswd_ccache_t; -init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t) - -######################################## -# -# IPA kpasswd local policy -# - -allow ipa_kpasswd_t self:capability { sys_nice dac_override }; -allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms; -allow ipa_kpasswd_t self:udp_socket create_socket_perms; - -files_read_etc_files(ipa_kpasswd_t) -files_search_usr(ipa_kpasswd_t) - -files_pid_file(ipa_kpasswd_var_run_t); -allow ipa_kpasswd_t ipa_kpasswd_var_run_t:file manage_file_perms; -files_pid_filetrans(ipa_kpasswd_t,ipa_kpasswd_var_run_t,file) - -auth_use_nsswitch(ipa_kpasswd_t) - -libs_use_ld_so(ipa_kpasswd_t) -libs_use_shared_libs(ipa_kpasswd_t) - -logging_send_syslog_msg(ipa_kpasswd_t) - -miscfiles_read_localization(ipa_kpasswd_t) - -kerberos_use(ipa_kpasswd_t) -kerberos_manage_host_rcache(ipa_kpasswd_t) -kerberos_read_kdc_config(ipa_kpasswd_t) - -kernel_read_system_state(ipa_kpasswd_t) - -# /var/cache/ipa/kpasswd -files_type(ipa_kpasswd_ccache_t) -manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t) -manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t) -files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir) - -kernel_read_network_state(ipa_kpasswd_t) -kernel_read_network_state_symlinks(ipa_kpasswd_t) - -corenet_tcp_sendrecv_all_if(ipa_kpasswd_t) -corenet_udp_sendrecv_all_if(ipa_kpasswd_t) -corenet_raw_sendrecv_all_if(ipa_kpasswd_t) -corenet_tcp_sendrecv_all_nodes(ipa_kpasswd_t) -corenet_udp_sendrecv_all_nodes(ipa_kpasswd_t) -corenet_raw_sendrecv_all_nodes(ipa_kpasswd_t) -corenet_tcp_sendrecv_all_ports(ipa_kpasswd_t) -corenet_udp_sendrecv_all_ports(ipa_kpasswd_t) -corenet_non_ipsec_sendrecv(ipa_kpasswd_t) -corenet_tcp_bind_all_nodes(ipa_kpasswd_t) -corenet_udp_bind_all_nodes(ipa_kpasswd_t) -corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t) -corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t) -require { - type krb5kdc_conf_t; -}; - -allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms; - -optional_policy(` - gen_require(` - type kerberos_password_port_t; - ') - corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t) - corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t) -') - -- cgit